1. tcpdump introduction
On Linux, tcpdump is a powerful packet capture tool, roughly the equivalent of Wireshark on Windows, but it is driven entirely from the command line, so you need to be comfortable with the Linux shell. Capturing from a live interface requires root (or the CAP_NET_RAW capability); reading a saved capture file does not.
Most common Linux distributions already ship tcpdump or provide it as a package. If yours does not, the official tcpdump website offers only the source code, which you have to download and compile yourself; the build procedure is not covered here.
2. Commonly used tcpdump parameters
The following lists the common tcpdump parameters:
- -a attempt to convert network and broadcast addresses to names (an option of old tcpdump versions; current releases no longer accept it)
- -A print each captured packet in ASCII, handy for plain-text protocols
- -c num stop after capturing num packets
- -C file-size used together with -w file: before writing each packet, if the current capture file is larger than file-size (in millions of bytes), close it and start a new file
- -D list all network interfaces on which tcpdump can capture; each is printed with a number and a name, and either can be passed to -i
- -q quick (quiet) output: print less protocol information for each packet
- -w file write the raw packets to a file instead of printing them; the file can later be opened for analysis in Wireshark on Windows
- -r file read packets from a file instead of a live interface, typically a file saved earlier with -w
- -i iface capture on the given network interface; to capture on all interfaces at once use -i any
- -x print the captured packet data in hexadecimal
- -n do not resolve IP addresses to host names; -nn additionally leaves port and protocol numbers as numbers instead of printing service names (extra n's, as in -nnn, add nothing beyond -nn). Use -nn as a matter of habit: it avoids the reverse DNS lookups that slow a capture down and that leak the addresses you are investigating to your DNS resolver.
3. tcpdump filter expressions
The filter expression tells tcpdump which captured packets to print (or, with -w, to save). If no expression is given, every captured packet is printed; otherwise only the packets that match the expression are.
An expression is built from primitives, and each primitive combines up to three kinds of qualifier:
Type qualifiers: host, net, port, portrange, ip proto, ip protochain, etc.
Direction qualifiers: src, dst, src or dst, src and dst, etc. If no direction is given, src or dst is assumed.
Protocol qualifiers: ether, ip, ip6, arp, rarp, tcp, udp, icmp, etc. Application protocols such as HTTP are not filter keywords; match them by port instead, for example tcp port 80.
The basic format of a primitive is protocol + [direction] + type + value. Primitives are combined with and, or and not; and binds tighter than or, and parentheses (quoted so the shell does not interpret them) override that. Specific examples:
ip src host 192.168.0.1
tcp port 1883
4. Examples
Capture packets on all network interfaces
tcpdump -i any
Capture packets on port 1883
tcpdump -i eth0 port 1883        # all packets to or from port 1883
tcpdump -i eth0 tcp port 1883    # only TCP packets on port 1883
tcpdump -i eth0 udp port 1883    # only UDP packets on port 1883
Capture packets whose source IP is 172.30.20.10
tcpdump -i eth0 src host 172.30.20.10
Capture packets whose destination IP is 172.30.20.10
tcpdump -i eth0 dst host 172.30.20.10
Capture packets whose source IP is 172.30.20.10 and whose destination port is 22
tcpdump -i eth0 src host 172.30.20.10 and dst port 22
Capture packets whose source IP is 172.30.20.10 or whose source or destination port is 22 (-v prints more detail, -nn disables name resolution)
tcpdump -i eth0 -vnn src host 172.30.20.10 or port 22
Capture packets whose source IP is 172.30.20.10 and which do not involve port 22 in either direction
tcpdump -i eth0 -vnn src host 172.30.20.10 and not port 22
Capture packets on eth0 and save them to a file
tcpdump -i eth0 -w data.cap
Capture 100 packets on eth0 and save them to a file
tcpdump -i eth0 -c 100 -w data.cap
Capture only IP packets on eth0
tcpdump -i eth0 ip
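The commands above need root and a live interface, so as an added example (not part of the original post, and not tcpdump's own code) here is a small Python script that shows what a -w file actually contains and how the host/port filters from this page select packets. It builds a constructed pcap in the classic little-endian format tcpdump -w writes, reads it back the way -r would, and evaluates the subset of filter syntax used above with the same precedence as pcap-filter (and binds tighter than or). The helper names (ipv4_packet, write_pcap, read_pcap, matches, select), the MAC and IP addresses and the four sample packets are all invented for the example; only TCP and UDP over IPv4 on Ethernet are decoded.

```python
# Added example, not from the original post: a constructed pcap in the format
# tcpdump -w writes, read back as -r would, filtered with the page's expressions.
import socket
import struct

LINKTYPE_ETHERNET = 1


def ipv4_packet(src_ip, dst_ip, proto, sport, dport):
    """Constructed Ethernet/IPv4 frame with an empty TCP (6) or UDP (17) segment;
    checksums are left at zero because tcpdump filters never inspect them."""
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)  # SYN
          if proto == 6 else struct.pack("!HHHH", sport, dport, 8, 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("001122334455 66778899aabb 0800")   # dst MAC, src MAC, IPv4
    return eth + ip + l4


def write_pcap(frames, snaplen=65535):
    """Classic pcap: 24-byte global header, then per frame a 16-byte record header
    (ts_sec, ts_usec, incl_len, orig_len) followed by the captured bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]             # -s truncation: incl_len < orig_len
        out += struct.pack("<IIII", 1700000000 + i, 0, len(captured), len(frame))
        out += captured
    return out


def read_pcap(data):
    """Decode an Ethernet pcap of either byte order into the fields filters test."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack("<I", data[:4])[0]]
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("example only decodes Ethernet captures")
    pkts, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                           # not IPv4, or truncated below the IP header
        l4 = frame[14 + (frame[14] & 0x0F) * 4:]
        sport, dport = struct.unpack("!HH", l4[:4]) if len(l4) >= 4 else (None, None)
        pkts.append({"proto": {6: "tcp", 17: "udp"}.get(frame[23], frame[23]),
                     "src": socket.inet_ntoa(frame[26:30]),
                     "dst": socket.inet_ntoa(frame[30:34]), "sport": sport, "dport": dport})
    return pkts


def _split(tokens, word):
    groups = [[]]                              # ['a', 'and', 'b'] on 'and' -> [['a'], ['b']]
    for t in tokens:
        if t == word:
            groups.append([])
        else:
            groups[-1].append(t)
    return groups


def _primitive(p, t):
    """One primitive as used on this page: [not] [ip|tcp|udp] [src|dst] host|port value."""
    if t[0] == "not":
        return not _primitive(p, t[1:])
    if t[0] in ("ip", "tcp", "udp"):            # protocol qualifier, e.g. 'tcp port 1883'
        ok = t[0] == "ip" or p["proto"] == t[0]
        return ok if len(t) == 1 else ok and _primitive(p, t[1:])
    if t[0] in ("src", "dst"):                  # direction qualifier
        field = p[{"host": t[0], "port": t[0][0] + "port"}[t[1]]]
        return field == (t[2] if t[1] == "host" else int(t[2]))
    if t[0] == "host":                          # no direction given: src or dst
        return t[1] in (p["src"], p["dst"])
    if t[0] == "port":
        return int(t[1]) in (p["sport"], p["dport"])
    raise ValueError("unsupported primitive: " + " ".join(t))


def matches(p, expr):
    """pcap-filter semantics for that subset: 'and' binds tighter than 'or'."""
    tokens = expr.split()                      # empty expression matches everything
    return not tokens or any(all(_primitive(p, prim) for prim in _split(clause, "and"))
                             for clause in _split(tokens, "or"))


def select(data, expr):
    """(src, dst, proto, dport) of every packet in a pcap that matches expr."""
    return [(p["src"], p["dst"], p["proto"], p["dport"])
            for p in read_pcap(data) if matches(p, expr)]


# Constructed traffic: SSH from 172.30.20.10 and its reply, MQTT (1883) from the
# same host, and a UDP datagram to 1883 from an unrelated host.
SAMPLE = write_pcap([ipv4_packet("172.30.20.10", "172.30.20.1", 6, 40000, 22),
                     ipv4_packet("172.30.20.1", "172.30.20.10", 6, 22, 40000),
                     ipv4_packet("172.30.20.10", "172.30.20.1", 6, 40001, 1883),
                     ipv4_packet("10.0.0.5", "172.30.20.1", 17, 5353, 1883)])

if __name__ == "__main__":
    for expr in ("src host 172.30.20.10 and dst port 22", "src host 172.30.20.10 or port 22",
                 "src host 172.30.20.10 and not port 22", "udp port 1883"):
        print(f"{expr:40} -> {select(SAMPLE, expr)}")
```

Run it as a script to see which of the four packets each of the page's three host/port filters selects; the result for "src host 172.30.20.10 or port 22" includes the SSH reply because port with no direction means src or dst. Feed the bytes of SAMPLE to a file and tcpdump -nn -r that file -v will show the same packets, which is the quickest way to check a filter before using it on a live capture.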